This all sounds great. On top of real issues, I am sure this will present exceptions being thrown here and there where we can make at the very least said exceptions carry meaningful messages instead of a mysterious IOOB or AIOBE.
I guess it all depends what I want to do with my nights and weekends :-p

Gary

On Mon, Jan 10, 2022, 06:27 Volkan Yazıcı <[email protected]> wrote:

> I think fuzzing is a really promising practice we should integrate into our
> CI pipeline to figure out certain defects. Here is my elevator pitch:
>
> 1. Fuzzing or fuzz testing <https://en.wikipedia.org/wiki/Fuzzing> is an
> automated software testing technique that involves providing invalid,
> unexpected, or random data as inputs to a computer program.
> 2. Jazzer <https://github.com/CodeIntelligenceTesting/jazzer> is a
> fuzzer for JVM applications and open-sourced by Code Intelligence.
> 3. OSS-Fuzz <https://github.com/google/oss-fuzz> is Google's automated
> platform (including Google-provided build nodes!) to fuzz some noteworthy
> F/OSS projects.
> 4. [2021-04-10] OSS-Fuzz adds Jazzer support
> <https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html>.
> 5. [2021-12-13] Fabian Meumertzheim of Code Intelligence detects Log4j
> CVE-2021-44228 in ~5 min with a one-line fuzz target
> <https://twitter.com/fhenneke/status/1470377931230875650?s=20>.
> 6. [2021-12-15] OSS-Fuzz adds Log4j to their suite
> <https://github.com/google/oss-fuzz/pull/7016>.
>
> Though this is just the beginning. Somebody needs to spend some serious
> amount of time to enrich the fuzz tests and cover as many Log4j entry
> points as possible.
>
> I am tinkering with the idea of a Kickstarter-like initiative to sign up
> for this. Maybe as a 2-months-long gig?
>
> Thoughts?
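For readers of the thread, an added illustration of what a Jazzer fuzz target for one Log4j entry point looks like (example code, not from the thread, Code Intelligence or the Log4j project). It assumes `log4j-core` and `jazzer-api` are on the classpath and picks the `PatternLayout` parser as the entry point; the class name and the 64-character pattern budget are the example's own choices.

```java
// Added example: a Jazzer fuzz target exercising Log4j's PatternLayout parser
// and formatter with fuzzer-generated patterns and messages.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class PatternLayoutFuzzer {

    // Jazzer invokes this method once per generated input. Any uncaught
    // exception (IndexOutOfBounds, ArrayIndexOutOfBounds, NPE, ...) is
    // reported as a finding together with the input that reproduces it.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // First part of the input becomes the conversion pattern (e.g. "%d %-5p %m%n"),
        // the rest becomes the message text; 64 is an arbitrary size budget.
        String pattern = data.consumeString(64);
        String message = data.consumeRemainingAsString();

        // Entry point 1: parsing a (possibly malformed) conversion pattern.
        PatternLayout layout = PatternLayout.newBuilder()
                .withPattern(pattern)
                .build();

        // Entry point 2: formatting an event through the parsed pattern.
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("fuzz")
                .setLevel(Level.INFO)
                .setMessage(new SimpleMessage(message))
                .build();
        layout.toSerializable(event);
    }
}
```

Each reported exception is then triaged as either a genuine bug or a legitimate rejection of bad input that should carry a descriptive message rather than a bare index error.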
